SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX 100H (11.2R4.3) : Cannot get fe-0/0/0 to speak to the outside world

    Posted 06-14-2013 02:53

    Hey,

    This is my first time playing with an SRX, and I'm a little stuck. Setup:

    fe-0/0/0 <--> ISP

    fe-0/0/1 <--> Server


    We have a publicly addressed /27 we want to use internally. We want the SRX to be in ethernet-switching mode, but also respond on both the loopback (lo0) and a VLAN interface (vlan.0). As it stands right now, we can ping the server connected to the SRX, but we cannot hit the SRX. Our MAC address table is populated correctly, as is our ARP table.

    - From the Server, ISP gateway responds to ICMP. 

    - From the SRX, ISP gateway does not respond to ICMP. 

    - From the Server, SRX responds to ICMP, TCP

    - From outside, Server responds to ICMP

    - From outside, SRX responds to ICMP (as per tcpdump), but the packet never reaches its destination.


    Looking at the tcpdump output on the RE, I can see we're sending the reply, but that return packet never reaches the source. I suspect there's still some firewall-y weirdness happening, but since I'm not a firewall guy, I cannot find where.


    Configuration:

    > show configuration | display set
    set version 11.2R4.3
    set system services ssh root-login allow
    set system services ssh protocol-version v2
    set system syslog archive size 100k
    set system syslog archive files 3
    set system syslog user * any emergency
    set system syslog file messages any info
    set system syslog file messages authorization info
    set system syslog file interactive-commands interactive-commands error
    set system max-configurations-on-flash 20
    set system max-configuration-rollbacks 20
    set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
    set interfaces fe-0/0/0 unit 0 family ethernet-switching vlan members default
    set interfaces fe-0/0/1 unit 0 family ethernet-switching vlan members default
    set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members default
    set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members default
    set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members default
    set interfaces fe-0/0/5 unit 0 family ethernet-switching vlan members default
    set interfaces fe-0/0/6 unit 0 family ethernet-switching vlan members default
    set interfaces fe-0/0/7 unit 0 family ethernet-switching vlan members default
    set interfaces lo0 unit 0 family inet address XXX.XXX.XXX.XXX/27
    set interfaces vlan unit 0 family inet address XXX.XXX.XXX.XXX/27
    set routing-options static route 0.0.0.0/0 next-hop XXX.XXX.XXX.XXX
    set security policies default-policy permit-all
    set security zones security-zone z1 host-inbound-traffic system-services all
    set security zones security-zone z1 host-inbound-traffic protocols all
    set security zones security-zone z1 interfaces all
    set vlans default vlan-id 1
    set vlans default l3-interface vlan.0

    If anyone could shed some light on this, that would be very helpful. 



  • 2.  RE: SRX 100H (11.2R4.3) : Cannot get fe-0/0/0 to speak to the outside world

    Posted 06-14-2013 04:39
    You can try after setting a /32 instead of a /27-based address on the loopback (lo0) interface.


  • 3.  RE: SRX 100H (11.2R4.3) : Cannot get fe-0/0/0 to speak to the outside world

    Posted 06-14-2013 04:44

    Hey,


    Thanks for the input. Switching the loopback to a /32 does not change anything. What leads me to believe that it's some filtering issue is the fact that I cannot get the vlan.0 interface to talk to anything, yet we can switch L2 frames across interfaces (it's just the RE that's not accessible remotely).


    Bearing in mind that we can communicate with the SRX from an L2-adjacent device, but not from the upstream gateway/internet, makes me think there is some policy hiding somewhere (the config I pasted is only missing the hostname and user auth details).


    Cheers! 



  • 4.  RE: SRX 100H (11.2R4.3) : Cannot get fe-0/0/0 to speak to the outside world
    Best Answer

    Posted 06-14-2013 04:51

    Hi Ruairi,


    The loopback must be /32, but try removing it from the configuration altogether:


    deactivate interfaces lo0


    and test again. The issue seems to be routing related, and you have overlapping subnets on two different interfaces (lo0.0 and vlan.0).


    Also, when running ping from the SRX to the ISP, get the output of "show security flow session protocol icmp" and check which interface the traffic is leaving on.


    Also - is the default gateway in the same range as the /27?
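    The two things this answer asks the poster to check (overlapping connected prefixes on lo0.0 and vlan.0, and whether the default gateway falls inside the /27) can be checked offline against a "show configuration | display set" dump. The following Python lint is an added example for this thread, not Juniper code and not something the poster ran; it parses only the "set interfaces ... family inet address" and "set routing-options static route ... next-hop" lines, and the sample config is constructed from the poster's, with the XXX addresses replaced by RFC 5737 documentation-range placeholders.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample modelled on the thread's config. The poster's XXX addresses are
# replaced with RFC 5737 documentation addresses; they are placeholders, not real hosts.
SAMPLE_CONFIG = """\
set interfaces fe-0/0/0 unit 0 family ethernet-switching vlan members default
set interfaces fe-0/0/1 unit 0 family ethernet-switching vlan members default
set interfaces lo0 unit 0 family inet address 203.0.113.34/27
set interfaces vlan unit 0 family inet address 203.0.113.35/27
set routing-options static route 0.0.0.0/0 next-hop 203.0.113.33
set vlans default vlan-id 1
set vlans default l3-interface vlan.0
"""

ADDR_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family inet address (\S+)$")
ROUTE_RE = re.compile(r"^set routing-options static route (\S+) next-hop (\S+)$")


def parse_inet_addresses(config):
    """Map each logical interface (e.g. 'lo0.0') to its 'family inet' addresses."""
    addrs = defaultdict(list)
    for line in config.splitlines():
        m = ADDR_RE.match(line.strip())
        if m:
            addrs[f"{m.group(1)}.{m.group(2)}"].append(ipaddress.ip_interface(m.group(3)))
    return dict(addrs)


def find_overlaps(addrs):
    """Return (ifl_a, ifl_b, net_a, net_b) for every pair of different logical
    interfaces whose connected prefixes overlap. Host routes (/32) are skipped:
    a /32 on lo0 does not claim the subnet, which is why the /32 advice works."""
    flat = [(ifl, a) for ifl, lst in addrs.items() for a in lst
            if a.network.prefixlen < a.network.max_prefixlen]
    found = []
    for i, (ifl_a, a) in enumerate(flat):
        for ifl_b, b in flat[i + 1:]:
            if ifl_a != ifl_b and a.network.overlaps(b.network):
                found.append((ifl_a, ifl_b, str(a.network), str(b.network)))
    return found


def next_hop_candidates(config, addrs):
    """For each static next-hop, list the logical interfaces whose connected prefix
    contains it. More than one candidate means the egress interface is ambiguous;
    none means the gateway is not in any connected range (the answer's last question)."""
    out = {}
    for line in config.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            nh = ipaddress.ip_address(m.group(2))
            out[m.group(2)] = sorted(ifl for ifl, lst in addrs.items()
                                     for a in lst if nh in a.network)
    return out


def lint(config):
    """Run both checks and return a findings dict; an empty 'advice' list means clean."""
    addrs = parse_inet_addresses(config)
    overlaps = find_overlaps(addrs)
    hops = next_hop_candidates(config, addrs)
    advice = []
    for ifl_a, ifl_b, net_a, _ in overlaps:
        if "lo0" in (ifl_a.split(".")[0], ifl_b.split(".")[0]):
            advice.append(f"{ifl_a} and {ifl_b} both claim {net_a}: give lo0 a /32 "
                          f"or 'deactivate interfaces lo0'")
    for nh, cands in hops.items():
        if not cands:
            advice.append(f"next-hop {nh} is not in any connected prefix (check the gateway)")
        elif len(cands) > 1:
            advice.append(f"next-hop {nh} is connected via {cands}: egress is ambiguous")
    return {"addresses": addrs, "overlaps": overlaps, "next_hops": hops, "advice": advice}


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG)["advice"]:
        print(finding)
```

    On the sample above the lint reports both findings; changing the lo0 address to /32 (or removing lo0, as the answer suggests) clears both, since the gateway is then connected via vlan.0 only. The on-box confirmation is the command the answer names, "show security flow session protocol icmp", which shows the interface the ping to the ISP actually leaves on.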



  • 5.  RE: SRX 100H (11.2R4.3) : Cannot get fe-0/0/0 to speak to the outside world

    Posted 06-14-2013 09:56

    Bang on the money, working now. Thank you.



  • 6.  RE: SRX 100H (11.2R4.3) : Cannot get fe-0/0/0 to speak to the outside world

    Posted 06-14-2013 04:52
    Hiya,

    There are no hidden filters in the SRX. Since you are able to ping the RE (vlan.0) internally, that apparently means there is no filtering issue.

    Better check the default gateway or the ISP's routing.

    Regards